PHP 5.5.x < 5.5.31 / 5.6.x < 5.6.17 / 7.0.x < 7.0.2 Multiple Vulnerabilities

Versions of PHP 5.5.x prior to 5.5.31, or 5.6.x prior to 5.6.17, or 7.0.x prior to 7.0.2 are vulnerable to the following issues :

• A use-after-free error exists in the ‘php_wddx_pop_element()’ function in ‘ext/wddx/wddx.c’ that is triggered when handling WDDX packet deserialization. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
• A type confusion flaw exists in the ‘PHP_to_XMLRPC_worker()’ function in ‘ext/xmlrpc/xmlrpc-epi-php.c.’ This may allow a remote attacker to potentially disclose memory contents, crash the process or have a more severe impact.
• A type confusion flaw exists in ‘ext/wddx/wddx.c’ that is triggered when handling session WDDX packet deserialization. This may allow a remote attacker to potentially execute arbitrary code.
• An out-of-bounds read flaw exists in the ‘gdImageRotateInterpolated()’ function in ‘ext/gd/libgd/gd_interpolation.c’ that is triggered when handling background colors. This may allow a remote attacker to cause a crash or potentially disclose memory contents. (CVE-2016-1903)
• A flaw exists in the ‘fpm_log_write()’ function in ‘sapi/fpm/fpm/fpm_log.c’ that is triggered when handling overly long HTTP requests. This may allow a local attacker with permissions to read the access log file to potentially disclose sensitive memory contents.
• A flaw in ‘sapi/litespeed/lsapilib.c’ that is due to the LSAPI module failing to clear its secret in the child processes when handling requests. This may allow a remote attacker to gain access to sensitive information in memory space.
• A flaw exists in the ‘parseRequest()’ function in ‘sapi/litespeed/lsapilib.c’ that is triggered as input passed via multiple variables in LSAPI requests is not properly sanitized. This may allow a remote attacker to cause a denial of service.